The term “computer network” generally refers to a system for enabling communication between or among computers or equivalent computing devices. When configured to include a server providing a directory service, the computer network becomes an integrated distributed computing environment, hereinafter “networked environment”, where authenticated computing devices and users of these devices can utilize network resources, such as by using or sharing data or attached peripherals, or communicate with each other. Communication on a networked environment is commonly achieved by using a “network packet,” or sometimes simply referred to as a “packet.” The term “network traffic” is commonly used to refer to either a single packet or collective group of packets that are traversing on the networked environment at a given moment.
Access to these network resources are typically governed by an authentication process. In the context of network security, authentication is a process of verifying the identity claimed by a network entity, such as a user, sometimes referred to as a real user, seeking access to the networked environment. Authentication typically includes requiring the real user to engage in a logon process by entering a user name and password on a computing device or equivalent network entity. The device will request credentials from an authentication service provided by the networked environment. If the authentication service successfully authenticates the submitted user name, it returns a session key which permits the real user to obtain access to network resources, including data, limited typically only by the security policy defined for that authenticated user name. This session key has a limited lifetime and usually remains valid until the authenticated user name is logged off by the real user employing the user name. In addition, network event logging may also be used to record information pertaining to certain events that occur on the networked environment, including for example, logon attempts, whether successful or not, made during the authentication of a user name, and logoff events.
However, the above approach for limiting and governing access to network resources to a networked environment has its limitations. Network logon authentication relies on a trusted computing concept. Once a user name is authenticated, that user name becomes a trusted network entity on the networked environment and has access to network resources, such as data, on the networked environment usually limited by only the security policy defined for that authenticated user name and the lifetime of the session key granted. Monitoring of the real user's activities on the networked environment after authentication is thus limited to network authentication event log information, which provides a limited amount of information that renders difficult any attempt to ascertain the real user's activities on the networked environment. Consequently, a need exists for monitoring network traffic, and more particularly, for associating certain packets according to a selected category, such as identity information, including user name, group id, organization unit, user object, host name or other category, by using event log information maintained on the networked environment.